On Sat, Jun 23, 2018 at 10:45 PM Paul Vixie <p...@redbarn.org> wrote:
>
> Joe Abley wrote:
> > I think a pragmatic solution needs to work in unsigned zones.
> >
> > ...
>
> can someone ask the IAB to rule on whether any new internet technology
> standard should address unsigned DNS zones, or for that matter, IPv4
> networks?
>

I have to agree with Joe here. I have no problem with the IAB/IETF requiring that new DNS enhancements need to be compatible with and work with DNSSEC - and I support that requirement. But if they don't also work with unsigned zones, then they will face a critical deployment obstacle in today's Internet environment, where DNSSEC is still largely undeployed.

So I think for each new enhancement proposal, we need to evaluate this obstacle, and determine if it's worth doing the work.

In particular, for the various type specific alias proposals that are the topic of this thread, the target audience is extensively deployed sites on the Internet. And if you survey all the sites that use apex CNAME hacks today, I suspect that you will find a very small minority of them have deployed DNSSEC. And so, if the proposed solution requires DNSSEC, it is not really solving the problem in the field. Maybe it will a decade down the road (if DNSSEC gets wide uptake by then, which is by no means certain), but I assume we want to solve the problem on a somewhat smaller time frame.

Shumon.